When It Comes to Cyber Security, Lack of Vendor Oversight Can Lead to Legal Trouble
By Seth Jaffe.
Third-party cyber security programs got a shot in the arm this week in the form of two legal actions.
The first, well summarized by Sue Ross over at Norton Rose Fulbright, is a proposed consent agreement by the Federal Trade Commission against mobile phone manufacturer BLU Products, Inc., alleging that BLU’s failure to oversee its vendor’s security practices amounts to a violation of Section 5 of the FTC Act. FTC consent orders are generally 20 years in length, and require adherence to a strict “never-let-this-happen-again” program. Indeed, BLU would have to implement a comprehensive data security program with a biennial assessment and all sorts of compliance obligations. In short, consent decrees come with an operational and monetary sting, and violating one can leave the company staring down the barrel of steep fines (see, e.g., FTC Commissioner Chopra’s memo calling for more serious penalties for violations of consent orders).
The second, as described by Kevin LaCroix on the D&O Diary, is a settlement in the shareholder derivative suit against Wendy’s for a 2016 data breach caused by the compromise of third-party credentials. We’ve seen a number of these derivative suits before, such as those against Wyndham, Target, and Home Depot, where a shareholder steps into the shoes of the company and sues the directors. Where those earlier suits were unsuccessful, the Wendy’s case had a different outcome. If adopted, the settlement would have Wendy’s implement remedial and prophylactic cyber security measures, form a cyber executive steering committee, and push cyber obligations down to franchisees. Oh, and pay the plaintiff’s attorneys’ fees of nearly $1M.
Because both cases are settlements, we don’t know what pressure was being applied to the defendants. Perhaps this is the beginning of a shift toward holding companies more accountable for the cyber missteps of their vendors. For now, there are a number of steps companies can take, such as strengthening their contractual security provisions, conducting security audits of vendors, isolating networks, controlling vendor access, and managing logs, to name a few. For a more comprehensive list, feel free to reach out to one of LEO’s experienced CISOs.
Seth is our official rocket scientist in residence. Hailing from NASA’s Mission Control Center, Seth brings a unique perspective to incident response, applying aspects of one of the world’s preeminent emergency operations platforms to cyber response. In addition to twenty-plus years of technical experience, Seth was previously a member of the data protection task force at a large law firm, and served as the lead Legal team member of an incident response team at a major U.S. airline. Seth is a certified business continuity professional, and he holds a juris doctorate, which is why he also wears the General Counsel hat at LEO.